Guys, Thanks for the confirmation and taking care of this.
— Denis > On Aug 17, 2017, at 1:32 AM, Sergey Kozlov <[email protected]> wrote: > > Denis > > Also we don't use .sha extension so we already follow that rules > > On Thu, Aug 17, 2017 at 10:57 AM, Oleg Ostanin <[email protected]> > wrote: > >> Hi, Denis >> >> Yes, we have a ticket that already takes this into account: >> https://issues.apache.org/jira/browse/IGNITE-5817 >> I think we can create both sha-256 and sha-512 checksums. >> >> Best regards >> Oleg >> >> On Thu, Aug 17, 2017 at 1:51 AM, Denis Magda <[email protected]> wrote: >> >>> Igniters, especially the release managers, >>> >>> Please consider these changes and recommendations for the next release. >> Do >>> we have any ticket that already takes this into account? >>> >>> — >>> Denis >>> >>>> Begin forwarded message: >>>> >>>> From: "Henk P. Penning" <[email protected]> >>>> Subject: .sha Release Distribution Policy >>>> Date: August 16, 2017 at 1:55:57 AM PDT >>>> To: <[email protected]> >>>> Reply-To: [email protected] >>>> >>>> Hi PMC, >>>> >>>> The Release Distribution Policy[1] changed regarding .sha files. >>>> See under "Cryptographic Signatures and Checksums Requirements" [2]. >>>> >>>> Old policy : >>>> >>>> -- use extension .sha for any SHA checksum (SHA-1, SHA-256, SHA-512) >>>> >>>> New policy : >>>> >>>> -- use .sha1 for a SHA-1 checksum >>>> -- use .sha256 for a SHA-256 checksum >>>> -- use .sha512 for a SHA-512 checksum >>>> -- [*] .sha should contain a SHA-1 >>>> >>>> Why this change ? >>>> >>>> -- Verifying a checksum under the old policy is/was not handy. >>>> You have to inspect the .sha to find out which algorithm >>>> should be used ; or try them all (SHA-1, SHA256, etc). >>>> The new scheme avoids this ambiguity. >>>> -- The last point[*] was only added for clarity. Most of the >>>> old, stale .sha's contain a SHA-1. The relatively new .sha's >>>> contain a SHA-512. The expectation is that the last catagory >> will >>>> disappear, when active projects adapt to the 'new' convention. >>>> >>>> Impact : >>>> >>>> -- Should be none ; many projects already use the 'new' convention. >>>> -- Please ask your release managers to use .sha1, .sha256, .sha512 >>>> instead of the .sha extension. >>>> -- Please fix your build-tools if you have any. >>>> >>>> Piggyback : >>>> >>>> -- The policy requires a .md5 for every package ; >>>> providing a .sha512 is recommended. >>>> Since MD5 is essentially broken, it is to be expected that >>>> in the future a .sha512 will be required. >>>> Perhaps it is wize to start providing .sha512's >>>> with your releases if you do not already do so. >>>> >>>> -- Visit http://mirror-vm.apache.org/checker/ >>>> to check the health of your /dist/-area ; >>>> my stuff ; any feedback is most welcome. >>>> >>>> Thanks ; regards, >>>> >>>> Henk Penning >>>> >>>> [1] http://www.apache.org/dev/release-distribution >>>> [2] http://www.apache.org/dev/release-distribution#sigs-and-sums >>>> >>>> ------------------------------------------------------------ >>>> Henk P. Penning ; apache.org infrastructure volunteer. >>>> [email protected] ; http://mirror-vm.apache.org/~henkp/ >>> >>> >> > > > > -- > Sergey Kozlov > GridGain Systems > www.gridgain.com
